| ▲ | RandomGerm4n 10 hours ago |
| I attestation should be abolished altogether. An app should have absolutely no way of knowing what kind of device it’s running on or what changes the user has made to the system. It is up to each individual to ensure the security of their own device. App developers should do no more than offer recommendations. If someone wants to use GrapheneOS, root their device (not recommended), or run the whole thing in an emulator, a homemade compatibility layer under Linux, or a custom port for MS-DOS, that should be possible. |
|
| ▲ | reddalo 10 hours ago | parent | next [-] |
| Exactly. It's my own device, I can do whatever I please with it. There shouldn't be an automated way for apps to check if my device has been blessed by the US tech giants or not. |
| |
|
| ▲ | viktorcode 2 hours ago | parent | prev | next [-] |
| > An app should have absolutely no way of knowing what kind of device it’s running on or what changes the user has made to the system. and therefore the app cannot give a reasonable guarantee that it is not running in an adversarial environment that actively tries to break the app's integrity. Thus, the app cannot be used as a verified ID with governmental level of trust. |
| |
| ▲ | Aachen an hour ago | parent | next [-] | | There's a difference between needing to lock down the whole OS and just the secure element. The secure hardware component can sign a challenge and prove possession of a private key without you being able to extract it. Smartcards have done this for decades (most people here will know an implementation under the name Yubikey). Conveying authentic information across untrusted channels (your phone screen, say) has been a solved problem since asymmetric cryptography was invented back before I was born | |
| ▲ | pona-a 2 hours ago | parent | prev | next [-] | | If your app needs to be protected from harm, it cannot protect the user from said harm. I hoped software engineering culture was lucky to not have the same precepts that make lockpicking a crime in the real world, that we successfully make it into common knowledge that you can't grant any trust to the client, but it seems "trusted computing" is making some of us unlearn that lesson. | |
| ▲ | like_any_other an hour ago | parent | prev [-] | | > an adversarial environment that actively tries to break the app's integrity Can you elaborate on what this means? Who is the adversary? What kind of 'integrity'? This sounds like the kind of vague language DRM uses to try to obscure the fact that it sees the users as the enemy. An XBox is 'compromised' when it obeys its owner, not Microsoft. |
|
|
| ▲ | kodebach 8 hours ago | parent | prev | next [-] |
| I agree, you should be able to run anything you want, root your device, etc., but you also have to accept the consequences of that. If an app can no longer verify its own integrity, certain features are simply impossible to implement securely. Think of it this way: A physical ID (which is what we're trying to replace here) also has limitations, it looks a certain way, has a certain size, etc. Just because somebody wants a smaller ID or one with a larger font or a passport in a different colour or whatever, doesn't mean that this should be allowed or possible. Some limitations exist for a good reason |
| |
| ▲ | RandomGerm4n 8 hours ago | parent | next [-] | | Users have the right to modify any app running on their own device. Software security should never depend on the user having no control over their own device. Smartphones are essentially just regular computers, and on them you can use a debugger and do whatever you want. Viewing smartphones as closed systems like game consoles where you need the manufacturer’s permission for everything only leads us into the dystopia that Richard Stallman described as early as 1997 in his short story "The Right to Read" | | |
| ▲ | viktorcode 2 hours ago | parent | next [-] | | To become dystopia people must be forced to use locked down smartphones. In reality you buy the one that suits your needs and do not enforce your design decisions on the smartphones other people use. | |
| ▲ | Avamander 5 hours ago | parent | prev [-] | | Once SafetyNet was brought to Android a decade ago the tendency has been clear - these freedoms are going to be restricted heavily. Because how do you make sure it's the user who does those modifications, willingly and well-informed? That it's not a malicious actor, not an user getting socially engineered or phished? Incredibly difficult compared to the current alternative. If it's not a software root of trust that provides an attestable environment like Android or iOS. It's going to be a hardware root of trust that provides an attestable hardware environment, like SGX. I can predict no other practical avenue taken. Unless the orangutan really forces a demonstration on how untrustworthy these environments can be and a lot of money and effort is spent. | | |
| ▲ | lvass 4 hours ago | parent | next [-] | | You can maybe, trust the user to handle it's own certificate in their own devices?
Though I admit requiring attestation is probably a good default. | | |
| ▲ | Avamander 3 hours ago | parent [-] | | One important feature of a legal ID is that it's hard to copy, so attestation from the hardware storage would have to be basically mandatory. But yeah, the user could have a choice to this extent. |
| |
| ▲ | 649028763 4 hours ago | parent | prev [-] | | [dead] |
|
| |
| ▲ | applfanboysbgon 8 hours ago | parent | prev | next [-] | | Comparing being able to run the hardware and software of your choice to "wanting a passport in a different color or whatever" is so completely fucked, and it's beyond insane as a justification for giving two American tech companies with a well established track record for doing evil control over your citizens' ID. The world has gone absolutely mad, what the fuck am I even witnessing? It is quite literally becoming 1984 in front of my eyes, with people
complying completely voluntarily and openly advocating for it, not even a threat of force to make it happen. | | |
| ▲ | Avamander 6 hours ago | parent | next [-] | | You keep lashing out at people in this thread. Demanding full control over something like an ID will fundamentally not happen. The same way you won't have full control over the way passports or paper bills are made. Take for example the expectation that some poor fool's ID can't be cloned and reused by malicious actors - full control directly contradicts that. It will not and must not be possible. | | |
| ▲ | applfanboysbgon 2 hours ago | parent [-] | | We don't need 'full control' over an ID. We need the status quo, where we have mostly have control over our devices, and where paper IDs are still the foundation of society. Things are fine the way they are. There are problems, sure, but no problems that are made better by an all-encompassing surveillance state. If I am lashing out, it is because this is perhaps the most dangerous thing I've ever seen proposed, and it is deeply distressing how people are sleepwalking into it. To be honest, if I were German, I would probably just kill myself the day I was legally mandated by my government to register my identity with Google. That might sound hyperbolic, but I'm really not kidding. I have lived with privacy, anonymity, and freedom for all of my life. If the future of this world is one where the government and Google have complete control over every single thing you do, I'd rather die having lived a satisfying life than witness the horrors that are to come. |
| |
| ▲ | viktorcode 2 hours ago | parent | prev [-] | | > with a well established track record for doing evil control Can you please elaborate on that record? | | |
| ▲ | applfanboysbgon 2 hours ago | parent [-] | | The clauses are [with a well established track record for doing evil] [control over your citizens' ID], if that's not clear. I wonder from where your quote cut off if my sentence was misunderstood. As to the well-established track record of doing evil... gestures broadly everything? Google in particular has built an empire on stripping away people's privacy, and they regularly ruin people's livelihood by eg. shutting down Youtube accounts incorrectly with automated systems and no way of ever reaching a human for support unless you're famous enough to make it a PR issue. Apple is the same, just recently with a thread on HN lamenting that Apple was destroying their business because they revoked their dev license, or in other words, a private company unilaterally revoked the ability of a business to create mobile software for billions of devices. And now we want to give them control over our IDs? ???????????????????????? |
|
| |
| ▲ | GranPC 5 hours ago | parent | prev | next [-] | | Well, in that case, if they want full control and attestation yadda yadda, I'm fine with them shipping me a device they fully control exclusively for use of this stuff. But if we're talking about my smartphone that I paid for with my money that I worked for, I will do whatever I damn please with it. So I guess that means eIDAS will be inaccessible to me. | |
| ▲ | aenis 4 hours ago | parent | prev [-] | | True, but its really hard to name a family of commercial devices with security features in hardware, including serious security features, which were not eventually hacked. Worse still, for new mainstream devices that are believed to be safe the state sponsored actors will likely operate unpublished exploits, and will exploit the misplaced faith people and judiciary will put in device attestation. I dont think the very likeable people who worked on Pegasus found themselves respectable jobs - they are likely still selling that sophisticated crap to all authoritarian regimes. |
|
|
| ▲ | aenis 4 hours ago | parent | prev | next [-] |
| Exactly this. And whats more, the idea of device attestation makes people trust those devices, and the history of rooting consoles and phones proves that nothing holds, even tech backed by billions in commercial interest. The whole point in reducing the blast radius is valid - by all means make this optional and allow the user to elect to tie their identity to the device. For everyone else, implement validation of actual transactions, not just user secrets and device secrets. |
|
| ▲ | no_time 6 hours ago | parent | prev [-] |
| This is the original sin of modern computing. Almost all anti user features are only made possible because we didn't pass laws against "secure elements" that serve the maker and not the owner when NGSCB got announced. |
